Add setup-flow

2026-03-21 03:12:13 +01:00
parent 80a2f662dc
commit dd044cf5d0
17 changed files with 519 additions and 37 deletions
--- a/internal/api/middleware/auth.go
+++ b/internal/api/middleware/auth.go
@@ -22,13 +22,11 @@ func AuthMiddleware() gin.HandlerFunc {

 		var tokenString string

-		// 🔥 1. Try cookie first (NEW)
 		cookie, err := c.Cookie("auth_token")
 		if err == nil && cookie != "" {
 			tokenString = cookie
 		}

-		// 🔥 2. Fallback to Authorization header (for API tools / future SPA)
 		if tokenString == "" {
 			authHeader := c.GetHeader("Authorization")

@@ -40,13 +38,11 @@ func AuthMiddleware() gin.HandlerFunc {
 			}
 		}

-		// ❌ No token at all
 		if tokenString == "" {
 			abortUnauthorized(c)
 			return
 		}

-		// 🔐 Parse JWT
 		claims := &Claims{}
 		token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
 			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
--- a/internal/db/db.go
+++ b/internal/db/db.go
@@ -13,7 +13,13 @@ import (

 func Connect() (*gorm.DB, error) {
 	dbType := os.Getenv("DB_TYPE")
+	if dbType == "" {
+		dbType = "sqlite"
+	}
 	dsn := os.Getenv("DATABASE_URL")
+	if dbType == "sqlite" && dsn == "" {
+		dsn = "./data/database.db"
+	}

 	switch dbType {
 	case "sqlite":
--- a/internal/file/model.go
+++ b/internal/file/model.go
@@ -7,6 +7,7 @@ import (
 type FileRecord struct {
 	ID                  string    `gorm:"primaryKey" json:"id"`
 	DeletionID          string    `json:"deletion_id"`
+	ViewID              string    `json:"view_id"`
 	Filename            string    `json:"filename"`
 	Path                string    `json:"-"` // file path on disk (not exposed via JSON)
 	ExpiresAt           time.Time `json:"expires_at"`
--- a/internal/file/service.go
+++ b/internal/file/service.go
@@ -3,6 +3,7 @@ package file
 import (
 	"io"
 	"os"
+	"path/filepath"
 	"time"

 	"github.com/google/uuid"
@@ -29,7 +30,8 @@ func (s *Service) UploadFile(filename string, data io.Reader, deleteAfterDownloa
 		return nil, err
 	}

-	path := folderPath + "/" + filename
+	safeName := uuid.NewString() + filepath.Ext(filename)
+	path := filepath.Join(folderPath, safeName)

 	out, err := os.Create(path)
 	if err != nil {
--- a/internal/user/errors.go
+++ b/internal/user/errors.go
@@ -3,3 +3,5 @@ package user
 import "errors"

 var ErrUserNotFound = errors.New("user not found")
+var ErrPasswordsDoNotMatch = errors.New("Incorrect old password")
+var ErrInvalidPassword = errors.New("invalid password")
--- a/internal/user/handler.go
+++ b/internal/user/handler.go
@@ -1,6 +1,10 @@
 package user

-import "github.com/gin-gonic/gin"
+import (
+	"fmt"
+
+	"github.com/gin-gonic/gin"
+)

 type Handler struct {
 	service *Service
@@ -30,3 +34,55 @@ func (h *Handler) Register(c *gin.Context) {

 	c.JSON(201, gin.H{"id": user.ID, "username": user.Username, "role": user.Role})
 }
+
+func (h *Handler) ChangePassword(c *gin.Context) {
+	var req struct {
+		OldPassword string `json:"old_password"`
+		NewPassword string `json:"new_password"`
+	}
+
+	userID, exists := c.Get("user_id")
+	if !exists {
+		fmt.Println("User ID not found in context")
+		c.JSON(401, gin.H{"error": "unauthorized"})
+		return
+	}
+
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(400, gin.H{"error": "invalid request"})
+		return
+	}
+
+	err := h.service.ChangePassword(userID.(string), req.OldPassword, req.NewPassword)
+	if err != nil {
+		c.JSON(500, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(200, gin.H{"message": "password changed successfully"})
+}
+
+func ForcePasswordChangeMiddleware(userService *Service) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		userID, exists := c.Get("user_id")
+		if !exists {
+			c.Next()
+			return
+		}
+
+		user, err := userService.FindByID(userID.(string))
+		if err != nil {
+			c.AbortWithStatus(500)
+			return
+		}
+
+		// Allow access to change password page itself
+		if user.ForceChangePassword && c.Request.URL.Path != "/change-password" {
+			c.Redirect(302, "/change-password")
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
--- a/internal/user/model.go
+++ b/internal/user/model.go
@@ -4,7 +4,8 @@ import "gorm.io/gorm"

 type User struct {
 	gorm.Model
-	Username     string `gorm:"uniqueIndex;not null"`
-	PasswordHash string `gorm:"not null"`
-	Role         string `gorm:"not null"`
+	Username            string `gorm:"uniqueIndex;not null"`
+	PasswordHash        string `gorm:"not null"`
+	Role                string `gorm:"not null"`
+	ForceChangePassword bool   `gorm:"default:false"`
 }
--- a/internal/user/repository.go
+++ b/internal/user/repository.go
@@ -25,6 +25,17 @@ func (r *Repository) FindByUsername(username string) (*User, error) {
 	return &u, nil
 }

+func (r *Repository) FindByID(id string) (*User, error) {
+	var u User
+	if err := r.db.First(&u, id).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, err
+	}
+	return &u, nil
+}
+
 func (r *Repository) Create(u *User) error {
 	return r.db.Create(u).Error
 }
@@ -37,6 +48,10 @@ func (r *Repository) GetAll() ([]User, error) {
 	return users, nil
 }

+func (r *Repository) Update(u *User) error {
+	return r.db.Save(u).Error
+}
+
 func (r *Repository) Delete(id uint) error {
 	return r.db.Delete(&User{}, id).Error
 }
--- a/internal/user/routes.go
+++ b/internal/user/routes.go
@@ -1,11 +1,17 @@
 package user

 import (
+	"ResendIt/internal/api/middleware"
+
 	"github.com/gin-gonic/gin"
 )

 func RegisterRoutes(r *gin.RouterGroup, h *Handler) {
-	//auth := r.Group("/user")
+	auth := r.Group("/user")
+	auth.Use(middleware.AuthMiddleware())
+	auth.Use(middleware.RequireRole("admin"))
+
+	auth.POST("/change-password", h.ChangePassword)

 	//auth.POST("/register", h.Register)
 }
--- a/internal/user/service.go
+++ b/internal/user/service.go
@@ -35,6 +35,66 @@ func (s *Service) CreateUser(username, password, role string) (*User, error) {
 	return u, nil
 }

+// UpdateUser updates a user's information
+func (s *Service) UpdateUser(user *User) (*User, error) {
+	if err := s.repo.Update(user); err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func validNewPassword(oldPassword, newPassword string) bool {
+	if oldPassword == newPassword {
+		return false
+	}
+	if len(newPassword) < 8 {
+		return false
+	}
+	//Contains 1 uppercase, 1 lowercase, 1 number
+	hasUpper := false
+	hasLower := false
+	hasNumber := false
+	for _, c := range newPassword {
+		switch {
+		case 'A' <= c && c <= 'Z':
+			hasUpper = true
+		case 'a' <= c && c <= 'z':
+			hasLower = true
+		case '0' <= c && c <= '9':
+			hasNumber = true
+		}
+	}
+	if !hasUpper || !hasLower || !hasNumber {
+		return false
+	}
+	return true
+}
+
+func (s *Service) ChangePassword(userID string, oldPassword string, newPassword string) error {
+	user, err := s.repo.FindByID(userID)
+	if err != nil {
+		return err
+	}
+
+	if !validNewPassword(oldPassword, newPassword) {
+		return ErrInvalidPassword
+	}
+
+	if !security.CheckPassword(oldPassword, user.PasswordHash) {
+		return ErrPasswordsDoNotMatch
+	}
+
+	newHash, err := security.HashPassword(newPassword)
+	if err != nil {
+		return err
+	}
+
+	user.PasswordHash = newHash
+	user.ForceChangePassword = false
+
+	return s.repo.Update(user)
+}
+
 // GetAllUsers returns all users
 func (s *Service) GetAllUsers() ([]User, error) {
 	return s.repo.GetAll()
@@ -53,3 +113,8 @@ func (s *Service) DeleteUser(requesterID, targetID uint) error {
 func (s *Service) FindByUsername(username string) (*User, error) {
 	return s.repo.FindByUsername(username)
 }
+
+// FindByID returns a user by ID
+func (s *Service) FindByID(id string) (*User, error) {
+	return s.repo.FindByID(id)
+}
--- a/internal/web/handler.go
+++ b/internal/web/handler.go
@@ -64,3 +64,7 @@ func (h *Handler) Logout(c *gin.Context) {
 	c.SetCookie("auth_token", "", -1, "/", "", false, true)
 	c.Redirect(302, "/")
 }
+
+func (h *Handler) ChangePasswordPage(c *gin.Context) {
+	c.HTML(200, "changePassword.html", nil)
+}
--- a/internal/web/routes.go
+++ b/internal/web/routes.go
@@ -2,19 +2,22 @@ package web

 import (
 	"ResendIt/internal/api/middleware"
+	"ResendIt/internal/user"

 	"github.com/gin-gonic/gin"
 )

-func RegisterRoutes(r *gin.Engine, h *Handler) {
+func RegisterRoutes(r *gin.Engine, h *Handler, userService *user.Service) {
 	r.GET("/", h.Index)
-	r.GET("/upload", h.UploadPage)
+	//r.GET("/upload", h.UploadPage)
 	r.GET("/login", h.LoginPage)

 	adminRoutes := r.Group("/")
 	adminRoutes.Use(middleware.AuthMiddleware())
 	adminRoutes.Use(middleware.RequireRole("admin"))
+	adminRoutes.Use(user.ForcePasswordChangeMiddleware(userService))

 	adminRoutes.GET("/admin", h.AdminPage)
 	adminRoutes.GET("/logout", h.Logout)
+	adminRoutes.GET("/change-password", h.ChangePasswordPage)
 }